ELK Fleet and Agents Setup

Fleet Server

After logging into the Elastic web interface using the password generated during installation, select “Explore on my own”. Then open the hamburger menu and select Fleet under Management. There will be a brief loading screen before the server prompts us to add a Fleet Server.

The process has 7 numbered steps:

  1. Leave the dropdown as “Default Fleet Server Policy”
  2. Skip this for now
  3. Select the radio button for “production”
  4. Add https://, your server’s IP address, and port 8220, then hit the “Add Host” button. This takes a moment and then produces a completion message.
  5. Click “Generate Service Token” and copy the resulting token to a safe location.
  6. This section provides the commands to start the server. However, we are not quite ready for that yet. Remember, we need to complete step 2, which we skipped earlier.
  7. This will populate once we get everything working.

Next up we need to install Elastic Agent on the server. Back in the PuTTY terminal, SSH into the server. Move to the /etc/fleet directory, then download the compressed tar.gz Elastic Agent package with the first command, decompress it with the second, and remove the tar.gz with the third.

sudo wget https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-7.17.6-linux-x86_64.tar.gz

sudo tar -xvf ./elastic-agent-7.17.6-linux-x86_64.tar.gz

sudo rm ./elastic-agent-7.17.6-linux-x86_64.tar.gz

Now, we can return to the browser and complete step 6. Select the Linux tab, copy the command, and paste it into Notepad or another text editor. We need to make the following changes:

  • Change “localhost” to the server’s IP address in this line:
    • --fleet-server-es=http://localhost:9200 \
  • Next, replace the four “PATH_TO” placeholders with the actual paths of the certs and keys we created during installation, so the four lines become:
    • --certificate-authorities=/etc/fleet/certs/ca/ca.crt \
    • --fleet-server-es-ca=/etc/elasticsearch/certs/elasticsearch.crt \
    • --fleet-server-cert=/etc/fleet/certs/fleet.crt \
    • --fleet-server-cert-key=/etc/fleet/certs/fleet.key

Now paste the newly crafted command from the text editor onto the command line. If you mess up one of the lines and get a bad install like I did, you can uninstall the Elastic Agent with the following command, then fix the install command and try again.

sudo /opt/Elastic/Agent/elastic-agent uninstall

If everything works as it should, you will see “Fleet Server Connected” in the web GUI. Finally, step 7 is done!

Now hit the continue button. You should now see the new agent listed on the Fleet page.

Now select Fleet settings in the upper right-hand corner and change the Elasticsearch host URL from localhost to our server’s IP address. Click “Save and apply settings”, then “Apply settings” in the pop-up window.

Windows Policies

Next, we’re going to create a Windows policy that determines which logs we collect from Windows systems. First, select the “Agent policies” tab at the top of the Fleet page, then click the “Create agent policy” button. Give the policy a name and a description, ensure the “Collect system logs and metrics” box is checked, then hit the “Create agent policy” button.

Click on the new “Windows Endpoints” policy (or whatever you named it) to open a page where we can add integrations. Click the “Add integration” button.

Along the left side of the Integrations page, select the “Security” category. Find and select “Endpoint Security”, which takes us to its page. Click the “Add Endpoint Security” button in the top right.

This will bring up a configuration page. Choose a name and description for this integration then click the “Save and Continue” button.

Once the process is complete, select “Add Elastic Agent later” on the pop-up message.

Next, go back to Integrations, search for “Windows”, and add the Windows integration. Click the “Windows” integration and then the “Add Windows” button. As before, add a name and description and leave all sliders at their defaults. Click “Save and Continue” and, again, “Add Elastic Agent later” on the pop-up.

Windows Endpoint Setup

Now we move to our Windows 10 machine to set up the endpoint requirements. First, we’ll test our connection to the ELK server on the Elasticsearch (9200) and Fleet Server (8220) ports with the PowerShell Test-NetConnection command. Make sure to open PowerShell with administrator privileges; we’ll need it for some of the later commands.

Test-NetConnection -port 9200 192.168.113.25

Test-NetConnection -port 8220 192.168.113.25

Next we need to install Sysmon to better monitor and log endpoint events. Its events are also what the SIEM agent integration consumes, which is why we need it here. Download the compressed .zip file and expand it with the following PowerShell commands.

Invoke-WebRequest -URI https://download.sysinternals.com/files/Sysmon.zip -OutFile "C:\Program Files\Sysmon.zip"

Expand-Archive "C:\Program Files\Sysmon.zip" -DestinationPath "C:\Program Files\Sysmon"

rm "C:\Program Files\Sysmon.zip"

The Level Effect blog post I referenced during this process recommends the SwiftOnSecurity sysmon-config file: https://github.com/SwiftOnSecurity/sysmon-config

We’ll grab the file and import it with the following commands.

cd "C:\Program Files\Sysmon"

Invoke-WebRequest -URI https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile "C:\Program Files\Sysmon\sysmonconfig-export.xml"

./sysmon.exe -accepteula -i sysmonconfig-export.xml

Next, we’ll need to enable PowerShell Script Block Logging using the function below. This script will check the registry and, if needed, add a key and set its value to enable PowerShell script logging.
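The function referenced above, written here as an added example rather than the author’s original script: it creates the Script Block Logging policy key if it is missing, sets EnableScriptBlockLogging to 1, and reads the value back so you can confirm the change. The registry path is the standard Group Policy location for this setting; the function name Enable-ScriptBlockLogging is my own choice. Run it from the elevated PowerShell session opened earlier.

```powershell
# Added example (not from the original post): enable PowerShell Script Block Logging
# by creating the policy key if needed and setting EnableScriptBlockLogging = 1.
# Requires an elevated session because it writes under HKLM.

function Enable-ScriptBlockLogging {
    [CmdletBinding()]
    param(
        # Standard policy key for Script Block Logging (a real path, not a constructed value).
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    )

    # Create the key (and any missing parent keys) if it does not exist yet.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
        Write-Verbose "Created registry key $KeyPath"
    }

    # Read the current value; a missing value means logging is off.
    $current = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).EnableScriptBlockLogging

    if ($current -eq 1) {
        Write-Verbose 'Script Block Logging is already enabled.'
    }
    else {
        # DWORD 1 turns on logging of executed script blocks; they appear as
        # Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log.
        New-ItemProperty -Path $KeyPath -Name 'EnableScriptBlockLogging' `
            -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Verbose 'Enabled Script Block Logging.'
    }

    # Return the value as it now stands so the caller can verify the change.
    return (Get-ItemProperty -Path $KeyPath -Name 'EnableScriptBlockLogging').EnableScriptBlockLogging
}

# Usage: prints 1 once the value is set.
Enable-ScriptBlockLogging -Verbose
```

New-ItemProperty with -Force overwrites an existing value of a different type (for example a stale REG_SZ), which Set-ItemProperty would not, so the result is always the DWORD the policy expects. No reboot is needed; new PowerShell sessions pick the setting up immediately, and the Windows integration added to the policy earlier can ingest the 4104 events from the Operational log.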

Now we need to add a trust relationship with the ELK stack’s certificate authority. For this Windows machine, we’ll copy the CA certificate over with scp and import it with the commands below. Make sure you are in the C:\Windows\System32 directory, or change the file path in these commands. If you would like to store the cert in another location, take note of it, because it will be referenced in a command further on in the process. You will need to type “yes” to accept the server’s ECDSA key fingerprint, then enter the password of the elk Linux user on the ELK server. The certificate will then be imported into the machine’s Trusted Root store.

scp elk@192.168.113.25:/ca.crt ./
Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath ./ca.crt

Finally, we’ll download the Elastic Agent. For Windows, use the following commands.

Start-BitsTransfer -Source https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-7.17.6-windows-x86_64.zip -Destination "C:\Program Files\elastic-agent.zip"
Expand-Archive "C:\Program Files\elastic-agent.zip" -DestinationPath "C:\Program Files\elastic-agent"
rm "C:\Program Files\elastic-agent.zip"

Back over in the Elastic web GUI, select Fleet, then click the “Add agent” button so we can enroll our new machine. Select “Windows Endpoints” (or whatever you named your policy) from the Agent policy dropdown. We can skip step 2, as we have already downloaded the agent on the Windows machine. Select and copy the Windows command at the bottom of the page; run it from the directory the agent was expanded into. The command will look like the one below, with your enrollment token included.

.\elastic-agent.exe install --url=https://192.168.113.25:8220 --enrollment-token=<YOUR_TOKEN>

After running the command, you should see a few lines finishing with “Elastic Agent has been successfully installed”.
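Before moving on, it is worth checking from the endpoint itself that every piece of this section is actually working. The function below is an added example, not part of the original post; it checks the Sysmon and Elastic Agent services, repeats the port tests from earlier, counts recent Sysmon and Script Block Logging events, and asks the agent for its own status. The service names 'Sysmon' and 'Elastic Agent', the agent install path C:\Program Files\Elastic\Agent, and the function name Test-EndpointTelemetry are assumptions based on default installs, not values from the page.

```powershell
# Added example (not from the original post): post-install sanity checks on the
# Windows endpoint. Service names and the agent path are assumptions based on
# default Sysmon and Elastic Agent installs. Run from an elevated session.

function Test-EndpointTelemetry {
    [CmdletBinding()]
    param(
        [string]$FleetHost = '192.168.113.25',   # ELK server IP used throughout the walkthrough
        [string]$AgentExe  = 'C:\Program Files\Elastic\Agent\elastic-agent.exe'  # default install path (assumption)
    )
    $result = [ordered]@{}

    # 1. Services: Sysmon and the enrolled Elastic Agent must both be running.
    foreach ($svc in 'Sysmon', 'Elastic Agent') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $result["Service:$svc"] = if ($s) { $s.Status } else { 'NotInstalled' }
    }

    # 2. Network: the agent enrolls via Fleet Server (8220) and ships data to Elasticsearch (9200).
    foreach ($port in 8220, 9200) {
        $tnc = Test-NetConnection -ComputerName $FleetHost -Port $port -WarningAction SilentlyContinue
        $result["Port:$port"] = $tnc.TcpTestSucceeded
    }

    # 3. Sysmon is writing events (Event ID 1 is process creation).
    $sysmon = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue
    $result['SysmonRecentEvents']  = @($sysmon).Count
    $result['SysmonProcessCreate'] = @($sysmon | Where-Object Id -eq 1).Count

    # 4. Script Block Logging took effect: Event ID 4104 in the PowerShell Operational log.
    $ps = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
            -MaxEvents 5 -ErrorAction SilentlyContinue
    $result['ScriptBlockEvents'] = @($ps).Count

    # 5. The agent's own view of its health (HEALTHY once Fleet enrollment succeeded).
    if (Test-Path -Path $AgentExe) {
        $result['AgentStatus'] = (& $AgentExe status 2>&1) -join ' '
    }
    else {
        $result['AgentStatus'] = 'binary not found at expected path'
    }

    return [pscustomobject]$result
}

Test-EndpointTelemetry | Format-List
```

A zero in ScriptBlockEvents right after enabling logging is normal until a new PowerShell session runs something; a zero in SysmonRecentEvents or a stopped Sysmon service means the sysmonconfig-export.xml install step did not take, and a failed port test points at the firewall or the Fleet Server host setting rather than the endpoint.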

Back in the Elastic web GUI, we can now see our machine listed as an agent on the Fleet page.

Navigate to Dashboard under Analytics in the hamburger menu, select “[System] Windows Overview”, and we can see that data is now being ingested from our endpoint.

The next blog on this subject will likely be coming shortly as I add some additional agents and start learning my way around the system.